This is how you verify within 5 minutes whether your computer is compromised. Use a virtual machine, install Skype and ESET on it; if you get the same warning then this is either a localized issue because of your location (Israel) or a misconfigured server.
–
Ramhound Dec 5 '12 at 14:18

2

@Ramhound - good idea, though the promise of 5 minutes is not realistic. This message does not appear on any predictable basis, so it could be days before it ever happens. Being that this is the case, if we're lucky the message will appear again, but if it doesn't appear, it doesn't prove that I've been compromised; it could just mean that all the supernodes Skype is using have valid SSL certificates...
–
Shaul Behr Dec 5 '12 at 14:23

The fact that it does not always appear is important information. Yes, 5 minutes is not realistic, but you understood the purpose of it. The end result is that you verify whether the warning appears on the virtual machine, even if it's only eventually.
–
Ramhound Dec 5 '12 at 14:29

I have uninstalled and reinstalled Skype from a clean download; let's see if this makes a difference...
–
Shaul Behr Dec 6 '12 at 15:17

So it looks like a legitimate company, but I don't fancy going on their website to work out what they do. I'd guess that their site has been compromised and is now being used as a command and control server.

I'd guess you've got some sort of malware that has injected a thread into Skype, since it's a program that's usually allowed to communicate with the network. Since your machine is likely compromised, my recommendation is to nuke it from orbit and start over.

Um... you sure that's not overkill? I mean, if my computer indeed has been compromised, then I accept that it may be necessary to nuke it. I have not, to my knowledge, done anything that would have allowed my computer to be compromised, and I am the only user. Nuking my computer is going to come at a pretty big cost to me. I want to be totally sure that this is really a bona fide attack, not that I'm going to lose a bunch of data and a couple days of productivity just on the suspicion that my computer might have been compromised...
–
Shaul Behr Dec 5 '12 at 10:59

2

In general, if there is any compromise then you cannot be sure of removing it unless you wipe and rebuild. Definitely make sure that it is a compromise first (Skype is quite profligate with contacting supernodes) but it sounds from @Poly's initial research that this is malicious.
–
Rory Alsop♦ Dec 5 '12 at 11:13

1

The remote servers are not all in Ukraine, but AFAIR they do tend to be in the FSU.
–
Shaul Behr Dec 5 '12 at 12:00

2

Poly, with all respect, I'm not nuking my computer on the off chance that maybe it's infected, when there's a very plausible and reasonable alternative explanation on offer. Same way when I get a headache, I take paracetamol before moving on to morphine.
–
Shaul Behr Dec 5 '12 at 14:31

This might simply be a Skype Supernode (I no longer think so); that said, I think there are some red flags:

The server is in Ukraine and it belongs to a company that doesn't seem to have business with Microsoft/Skype, and they don't seem to be in a position to host a Skype Supernode.

The server is running ProFTPD 1.2.10 behind an open port 21. I don't see why a Skype supernode (supposed to be secured and whatnot) is running an FTP server like that, instead of tunneling through SSH (SFTP).

An Nmap scan reveals SMTP (465), IMAP (993) and POP3 (995), which doesn't look very Skype Supernodish to me; I'd rather say it's being used as a spam-generation server.

If you're looking for someone to tell you what to do and take responsibility for your own actions, that's not gonna happen. The data is here, based on MY judgment I stand with Polynomial's opinion, this looks like something to worry about.

Skype uses a Peer to Peer model to route "calls" through the internet which means that part of the lookup function is being routed through unknown third parties.

Microsoft (when they bought Skype) changed the model earlier this year so that it mainly routes through semi-trusted nodes (i.e. not some guy's home broadband!) which they call "Supernodes" - apparently they are in "secure datacentres" and are, obviously, spread around the globe.

Aha, very interesting! So you think this Ukrainian site is just a supernode?
–
Shaul Behr Dec 5 '12 at 12:35

They're probably a local Microsoft supplier who have agreed to host a Skype supernode. In the good old days of Skype, everyone was a node in a pure P2P networking sense.
–
Callum Wilson Dec 5 '12 at 13:29

Right, so the only reason ESET is reporting it is because their SSL certificate has expired, or something like that? Sounds reasonable...
–
Shaul Behr Dec 5 '12 at 14:15

2

@Shaul - Verify this. Use a clean virtual machine. If you get the same error message then it's a misconfigured server; if you don't get the error, then your host operating system is infected.
–
Ramhound Dec 5 '12 at 14:21

Well, after everything, I ran several antivirus checks, from different AV vendors, and nothing suspicious was found. I logged support calls with both ESET and Skype regarding this issue. The folks at ESET told me over the phone that it's safe to approve, and Skype email tech support wrote:

We can assure you that this is not due to malware.

I couldn't get anyone to explain exactly why Skype is communicating over SSL to arbitrary untrusted hosts, but given this reassurance from I at least do not feel the need to nuke from orbit, even if I do keep pressing "No" when this message appears.

And I think customer support are idiots who thought you were talking about a supernode and didn't even bother to check the website in question. This sounds like an infection to me. As Skype normally starts up along with Windows, it's a prime candidate for injection.
–
Mints97 Apr 9 at 11:11

@Mints97 well, it's been over 2 years since I asked the question; I did not nuke from orbit, and everything seems to have been fine since then... maybe I just got lucky... :)
–
Shaul Behr Apr 11 at 18:48
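The thread leaves two questions open that can be answered on the machine itself rather than by guessing: Polynomial's suggestion that something has injected itself into Skype, and the asker's own observation that Skype is "communicating over SSL to arbitrary untrusted hosts". The script below is an added example and is not code from the original thread, from Skype or from ESET. It does the three checks a responder would run: list every module loaded into the Skype process and flag any without a valid Authenticode signature (the footprint of DLL or thread injection), list the established TCP connections that process owns, and, for each peer on 443, perform an independent TLS handshake and ask Windows to build the certificate chain, so the "untrusted certificate" warning can be read as self-signed, expired or chain failure. Everything about the environment is assumed, not taken from the thread: the process is named `Skype`, the host is Windows 8 / Server 2012 or later (`Get-NetTCPConnection`; on Windows 7 use `netstat -ano` and join on the PID column), the shell is elevated, and the remote peer can be reached on 443. Running the same script in the clean virtual machine Ramhound proposed and diffing the two outputs is the differential test from the comments.

```powershell
# Added example (not from the original thread, Skype or ESET).
# Assumptions: process name 'Skype', Windows 8/2012+ for Get-NetTCPConnection,
# elevated shell, network reachability to the remote peers on port 443.
$ErrorActionPreference = 'Stop'
$procs = @(Get-Process -Name Skype)

# 1. Loaded modules. Every DLL mapped into Skype should carry a valid Authenticode
#    signature; an unsigned or hash-mismatched module inside a network-facing
#    process is the classic footprint of injection. Signer is shown because
#    "Valid" only says *someone* signed it, not that it belongs in Skype.
$modules = foreach ($p in $procs) {
    foreach ($m in $p.Modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid    = $p.Id
            Module = $m.ModuleName
            Path   = $m.FileName
            Status = if ($sig) { $sig.Status } else { 'Unreadable' }   # Valid, NotSigned, HashMismatch, ...
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}
"== Modules without a valid signature =="
$modules | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize

# 2. Established TCP connections owned by the Skype PID(s), loopback excluded.
$conns = Get-NetTCPConnection -OwningProcess $procs.Id -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') }
"== Established connections =="
$conns | Select-Object OwningProcess, RemoteAddress, RemotePort | Format-Table -AutoSize

# 3. For each peer on 443, do our own handshake and let the Windows chain engine
#    judge the certificate. A self-signed or expired leaf explains an "untrusted
#    certificate" warning on its own; it is not, by itself, evidence of local infection.
"== Certificates presented by peers on 443 =="
foreach ($c in ($conns | Where-Object { $_.RemotePort -eq 443 })) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($c.RemoteAddress, 443)
        # Accept any certificate during the handshake; we inspect it explicitly below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($c.RemoteAddress)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            Peer       = "$($c.RemoteAddress):443"
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            Trusted    = $trusted
            ChainError = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
        $ssl.Dispose()
    } catch {
        Write-Warning "$($c.RemoteAddress):443 $($_.Exception.Message)"
    } finally {
        $tcp.Dispose()
    }
}
```

How to read the output: an unsigned module with a path outside the Skype install directory, or a signer that is not Skype/Microsoft, is the thing to pull for analysis before anything is wiped; an empty first table plus peers whose only chain error is `UntrustedRoot` or `NotTimeValid` is consistent with the "badly configured supernode" explanation the thread ends on. The handshake in step 3 accepts any certificate so it can be inspected; do not reuse that callback in anything that sends data.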